gorsee 0.2.4 → 0.2.6

package/src/runtime/validated-form.ts

@@ -1,106 +0,0 @@
-// Type-safe validated forms with branded types
-// Combines client-side validation with server-side action safety
-
-export interface FieldRule {
-  required?: boolean
-  minLength?: number
-  maxLength?: number
-  pattern?: RegExp
-  min?: number
-  max?: number
-  custom?: (value: string) => string | null  // return error message or null
-}
-
-export interface FormField {
-  name: string
-  rules: FieldRule
-  label?: string
-}
-
-export interface FormSchema {
-  fields: FormField[]
-}
-
-export interface ValidationError {
-  field: string
-  message: string
-}
-
-export interface ValidationResult<T> {
-  valid: boolean
-  data: T | null
-  errors: ValidationError[]
-}
-
-/** Define a form schema for validation */
-export function defineForm(fields: FormField[]): FormSchema {
-  return { fields }
-}
-
-function validateField(value: string | undefined, field: FormField): string | null {
-  const { rules, label } = field
-  const name = label ?? field.name
-  const v = value ?? ""
-
-  if (rules.required && !v.trim()) return `${name} is required`
-  if (!v && !rules.required) return null
-  if (rules.minLength !== undefined && v.length < rules.minLength)
-    return `${name} must be at least ${rules.minLength} characters`
-  if (rules.maxLength !== undefined && v.length > rules.maxLength)
-    return `${name} must be at most ${rules.maxLength} characters`
-  if (rules.pattern && !rules.pattern.test(v)) return `${name} format is invalid`
-  if (rules.min !== undefined && Number(v) < rules.min) return `${name} must be at least ${rules.min}`
-  if (rules.max !== undefined && Number(v) > rules.max) return `${name} must be at most ${rules.max}`
-  if (rules.custom) return rules.custom(v)
-  return null
-}
-
-/** Validate form data against schema */
-export function validateForm<T extends Record<string, string>>(
-  data: Record<string, string>,
-  schema: FormSchema,
-): ValidationResult<T> {
-  const errors: ValidationError[] = []
-
-  for (const field of schema.fields) {
-    const error = validateField(data[field.name], field)
-    if (error) errors.push({ field: field.name, message: error })
-  }
-
-  return {
-    valid: errors.length === 0,
-    data: errors.length === 0 ? (data as T) : null,
-    errors,
-  }
-}
-
-/** Server action helper: parse request and validate */
-export async function validateAction<T extends Record<string, string>>(
-  request: Request,
-  schema: FormSchema,
-): Promise<ValidationResult<T>> {
-  const contentType = request.headers.get("content-type") ?? ""
-  let data: Record<string, string>
-
-  if (contentType.includes("application/json")) {
-    data = await request.json()
-  } else {
-    const formData = await request.formData()
-    data = {}
-    formData.forEach((v, k) => { data[k] = String(v) })
-  }
-
-  return validateForm<T>(data, schema)
-}
-
-/** Generate client-side validation attributes for HTML inputs */
-export function fieldAttrs(field: FormField): Record<string, unknown> {
-  const attrs: Record<string, unknown> = { name: field.name }
-  if (field.rules.required) attrs.required = true
-  if (field.rules.minLength !== undefined) attrs.minlength = field.rules.minLength
-  if (field.rules.maxLength !== undefined) attrs.maxlength = field.rules.maxLength
-  if (field.rules.pattern) attrs.pattern = field.rules.pattern.source
-  if (field.rules.min !== undefined) attrs.min = field.rules.min
-  if (field.rules.max !== undefined) attrs.max = field.rules.max
-  return attrs
-}

package/src/security/cors.ts

@@ -1,80 +0,0 @@
-// CORS middleware — configurable Cross-Origin Resource Sharing
-
-import type { MiddlewareFn } from "../server/middleware.ts"
-
-export interface CORSOptions {
-  origin?: string | string[] | ((origin: string) => boolean)
-  methods?: string[]
-  allowHeaders?: string[]
-  exposeHeaders?: string[]
-  credentials?: boolean
-  maxAge?: number
-}
-
-const DEFAULT_METHODS = ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]
-const DEFAULT_HEADERS = ["Content-Type", "Authorization", "X-Requested-With"]
-
-function isOriginAllowed(origin: string, allowed: CORSOptions["origin"]): boolean {
-  if (!allowed) return false
-  if (allowed === "*") return true
-  if (typeof allowed === "string") return origin === allowed
-  if (Array.isArray(allowed)) return allowed.includes(origin)
-  if (typeof allowed === "function") return allowed(origin)
-  return false
-}
-
-export function cors(options: CORSOptions = {}): MiddlewareFn {
-  const {
-    origin = "*",
-    methods = DEFAULT_METHODS,
-    allowHeaders = DEFAULT_HEADERS,
-    exposeHeaders = [],
-    credentials = false,
-    maxAge = 86400,
-  } = options
-
-  return async (ctx, next) => {
-    const requestOrigin = ctx.request.headers.get("origin") ?? ""
-
-    // Preflight
-    if (ctx.request.method === "OPTIONS") {
-      const headers = new Headers()
-
-      if (origin === "*" && !credentials) {
-        headers.set("Access-Control-Allow-Origin", "*")
-      } else if (isOriginAllowed(requestOrigin, origin)) {
-        headers.set("Access-Control-Allow-Origin", requestOrigin)
-        headers.set("Vary", "Origin")
-      }
-
-      headers.set("Access-Control-Allow-Methods", methods.join(", "))
-      headers.set("Access-Control-Allow-Headers", allowHeaders.join(", "))
-      if (exposeHeaders.length > 0) {
-        headers.set("Access-Control-Expose-Headers", exposeHeaders.join(", "))
-      }
-      if (credentials) headers.set("Access-Control-Allow-Credentials", "true")
-      headers.set("Access-Control-Max-Age", String(maxAge))
-
-      return new Response(null, { status: 204, headers })
-    }
-
-    // Actual request
-    const response = await next()
-
-    if (origin === "*" && !credentials) {
-      response.headers.set("Access-Control-Allow-Origin", "*")
-    } else if (isOriginAllowed(requestOrigin, origin)) {
-      response.headers.set("Access-Control-Allow-Origin", requestOrigin)
-      response.headers.append("Vary", "Origin")
-    }
-
-    if (credentials) {
-      response.headers.set("Access-Control-Allow-Credentials", "true")
-    }
-    if (exposeHeaders.length > 0) {
-      response.headers.set("Access-Control-Expose-Headers", exposeHeaders.join(", "))
-    }
-
-    return response
-  }
-}

package/src/security/csrf.ts

@@ -1,85 +0,0 @@
-// CSRF protection using Signed Double-Submit Cookie pattern
-// Works for both SSR (token in HTML) and SPA (cookie-based)
-
-import { timingSafeEqual } from "node:crypto"
-
-const CSRF_COOKIE = "__gorsee_csrf"
-const CSRF_HEADER = "x-gorsee-csrf"
-const TOKEN_LENGTH = 32
-
-function randomBytes(length: number): string {
-  const bytes = new Uint8Array(length)
-  crypto.getRandomValues(bytes)
-  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("")
-}
-
-async function hmacSign(token: string, secret: string): Promise<string> {
-  const key = await crypto.subtle.importKey(
-    "raw",
-    new TextEncoder().encode(secret),
-    { name: "HMAC", hash: "SHA-256" },
-    false,
-    ["sign"]
-  )
-  const sig = await crypto.subtle.sign(
-    "HMAC",
-    key,
-    new TextEncoder().encode(token)
-  )
-  return Array.from(new Uint8Array(sig), (b) => b.toString(16).padStart(2, "0")).join("")
-}
-
-export function generateCSRFToken(): string {
-  return randomBytes(TOKEN_LENGTH)
-}
-
-export async function validateCSRFToken(
-  request: Request,
-  secret: string
-): Promise<boolean> {
-  // Skip safe methods
-  if (["GET", "HEAD", "OPTIONS"].includes(request.method)) return true
-
-  const cookieHeader = request.headers.get("cookie") ?? ""
-  const headerToken = request.headers.get(CSRF_HEADER) ?? ""
-
-  // Parse cookie
-  let cookieToken = ""
-  for (const pair of cookieHeader.split(";")) {
-    const [key, ...rest] = pair.trim().split("=")
-    if (key === CSRF_COOKIE) {
-      cookieToken = rest.join("=")
-      break
-    }
-  }
-
-  if (!cookieToken || !headerToken) return false
-
-  // Verify: cookie contains "token.signature", header contains "token"
-  const [token, signature] = cookieToken.split(".")
-  if (!token || !signature) return false
-
-  // Header must match token part of cookie
-  if (headerToken !== token) return false
-
-  // Verify HMAC signature (timing-safe comparison)
-  const expectedSig = await hmacSign(token, secret)
-  if (signature.length !== expectedSig.length) return false
-  return timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSig))
-}
-
-export async function csrfProtection(secret: string): Promise<{
-  token: string
-  cookie: string
-  headerName: string
-}> {
-  const token = generateCSRFToken()
-  const signature = await hmacSign(token, secret)
-  const cookieValue = `${token}.${signature}`
-
-  return {
-    token,
-    cookie: `${CSRF_COOKIE}=${cookieValue}; Path=/; SameSite=Lax; Secure`,
-    headerName: CSRF_HEADER,
-  }
-}

package/src/security/headers.ts

@@ -1,50 +0,0 @@
-export interface SecurityConfig {
-  csp: boolean
-  hsts: boolean
-  csrf: boolean
-  rateLimit: { requests: number; window: string } | false
-  nonce?: string
-}
-
-const DEFAULT_CONFIG: SecurityConfig = {
-  csp: true,
-  hsts: true,
-  csrf: true,
-  rateLimit: { requests: 100, window: "1m" },
-}
-
-export function securityHeaders(
-  config: Partial<SecurityConfig> = {},
-  nonce?: string
-): Record<string, string> {
-  const cfg = { ...DEFAULT_CONFIG, ...config }
-  const headers: Record<string, string> = {}
-
-  if (cfg.csp) {
-    const scriptSrc = nonce ? `'nonce-${nonce}'` : "'self'"
-    headers["Content-Security-Policy"] = [
-      "default-src 'self'",
-      `script-src ${scriptSrc}`,
-      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data: https:",
-      "font-src 'self'",
-      "connect-src 'self' ws: wss:",
-      "frame-ancestors 'none'",
-      "base-uri 'self'",
-      "form-action 'self'",
-    ].join("; ")
-  }
-
-  if (cfg.hsts) {
-    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload"
-  }
-
-  // Always set these
-  headers["X-Content-Type-Options"] = "nosniff"
-  headers["X-Frame-Options"] = "DENY"
-  headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
-  headers["X-XSS-Protection"] = "0" // Modern browsers: CSP is better
-  headers["Permissions-Policy"] = "camera=(), microphone=(), geolocation=()"
-
-  return headers
-}

package/src/security/index.ts

@@ -1,4 +0,0 @@
-export { securityHeaders, type SecurityConfig } from "./headers.ts"
-export { csrfProtection, generateCSRFToken, validateCSRFToken } from "./csrf.ts"
-export { createRateLimiter, type RateLimiter } from "./rate-limit.ts"
-export { cors, type CORSOptions } from "./cors.ts"

package/src/security/rate-limit.ts

@@ -1,80 +0,0 @@
-// In-memory token bucket rate limiter (for Bun runtime)
-// For Cloudflare Workers: use Durable Objects adapter (future)
-
-export interface RateLimiter {
-  check(key: string): { allowed: boolean; remaining: number; resetAt: number }
-  reset(key: string): void
-}
-
-interface Bucket {
-  tokens: number
-  lastRefill: number
-}
-
-function parseWindow(window: string): number {
-  const match = window.match(/^(\d+)(s|m|h)$/)
-  if (!match) throw new Error(`Invalid rate limit window: "${window}"`)
-  const value = Number(match[1])
-  switch (match[2]) {
-    case "s": return value * 1000
-    case "m": return value * 60_000
-    case "h": return value * 3_600_000
-    default: throw new Error(`Invalid unit: ${match[2]}`)
-  }
-}
-
-export function createRateLimiter(
-  maxRequests: number,
-  window: string
-): RateLimiter {
-  const windowMs = parseWindow(window)
-  const buckets = new Map<string, Bucket>()
-
-  // Cleanup old entries periodically
-  const CLEANUP_INTERVAL = Math.max(windowMs * 2, 60_000)
-  const cleanup = setInterval(() => {
-    const now = Date.now()
-    for (const [key, bucket] of buckets) {
-      if (now - bucket.lastRefill > windowMs * 2) {
-        buckets.delete(key)
-      }
-    }
-  }, CLEANUP_INTERVAL)
-
-  // Don't prevent process from exiting
-  if (typeof cleanup === "object" && "unref" in cleanup) {
-    (cleanup as NodeJS.Timeout).unref()
-  }
-
-  return {
-    check(key: string): { allowed: boolean; remaining: number; resetAt: number } {
-      const now = Date.now()
-      let bucket = buckets.get(key)
-
-      if (!bucket) {
-        bucket = { tokens: maxRequests, lastRefill: now }
-        buckets.set(key, bucket)
-      }
-
-      // Refill tokens based on elapsed time
-      const elapsed = now - bucket.lastRefill
-      if (elapsed >= windowMs) {
-        bucket.tokens = maxRequests
-        bucket.lastRefill = now
-      }
-
-      const resetAt = bucket.lastRefill + windowMs
-
-      if (bucket.tokens > 0) {
-        bucket.tokens--
-        return { allowed: true, remaining: bucket.tokens, resetAt }
-      }
-
-      return { allowed: false, remaining: 0, resetAt }
-    },
-
-    reset(key: string): void {
-      buckets.delete(key)
-    },
-  }
-}

package/src/server/action.ts

@@ -1,48 +0,0 @@
-// Server Actions -- form mutations with progressive enhancement
-// Usage in route:
-//   export const action = defineAction(async (ctx) => { ... })
-//
-// Client-side: submits via fetch, returns result
-// SSR: handles POST form submissions with redirect
-
-import type { Context } from "./middleware.ts"
-
-export type ActionFn<T = unknown> = (ctx: Context) => Promise<T | Response>
-
-export interface ActionResult<T = unknown> {
-  data?: T
-  error?: string
-  status: number
-}
-
-export function defineAction<T = unknown>(fn: ActionFn<T>): ActionFn<T> {
-  return fn
-}
-
-export async function handleAction<T>(
-  actionFn: ActionFn<T>,
-  ctx: Context,
-): Promise<ActionResult<T>> {
-  try {
-    const result = await actionFn(ctx)
-    if (result instanceof Response) {
-      return { status: result.status }
-    }
-    return { data: result, status: 200 }
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err)
-    return { error: message, status: 500 }
-  }
-}
-
-// Parse form data from request into a typed object
-export async function parseFormData(request: Request): Promise<Record<string, string>> {
-  const formData = await request.formData()
-  const result: Record<string, string> = {}
-  for (const [key, value] of formData.entries()) {
-    if (typeof value === "string") {
-      result[key] = value
-    }
-  }
-  return result
-}

package/src/server/cache-utils.ts

@@ -1,23 +0,0 @@
-import type { CacheEntry, CacheStore } from "./cache.ts"
-
-export function createNamespacedCacheStore(store: CacheStore, namespace: string): CacheStore {
-  const prefix = `${namespace}:`
-  return {
-    get: (key) => store.get(prefix + key),
-    set: async (key, entry) => { await store.set(prefix + key, entry) },
-    delete: async (key) => { await store.delete(prefix + key) },
-    clear: async () => {
-      const keys = await store.keys()
-      for await (const key of keys) {
-        if (key.startsWith(prefix)) await store.delete(key)
-      }
-    },
-    keys: async function* () {
-      const keys = await store.keys()
-      for await (const key of keys) {
-        if (!key.startsWith(prefix)) continue
-        yield key.slice(prefix.length)
-      }
-    },
-  }
-}

package/src/server/cache.ts

@@ -1,125 +0,0 @@
-// Route-level response cache with stale-while-revalidate
-// Usage: export const cache = { maxAge: 60, staleWhileRevalidate: 300 }
-
-import type { MiddlewareFn } from "./middleware.ts"
-
-export interface CacheOptions {
-  maxAge: number               // fresh cache TTL in seconds
-  staleWhileRevalidate?: number // serve stale while revalidating (seconds)
-  vary?: string[]              // cache key varies by these headers
-  key?: (url: URL) => string   // custom cache key generator
-  store?: CacheStore
-}
-
-type Awaitable<T> = T | Promise<T>
-
-export interface CacheEntry {
-  body: string
-  headers: Record<string, string>
-  status: number
-  createdAt: number
-  revalidating?: boolean
-}
-
-export interface CacheStore {
-  get(key: string): Awaitable<CacheEntry | undefined>
-  set(key: string, entry: CacheEntry): Awaitable<void>
-  delete(key: string): Awaitable<void>
-  clear(): Awaitable<void>
-  keys(): Awaitable<Iterable<string> | AsyncIterable<string>>
-}
-
-export function createMemoryCacheStore(): CacheStore {
-  const store = new Map<string, CacheEntry>()
-  return {
-    get: (key) => store.get(key),
-    set: (key, entry) => { store.set(key, entry) },
-    delete: (key) => { store.delete(key) },
-    clear: () => { store.clear() },
-    keys: () => store.keys(),
-  }
-}
-
-const defaultCacheStore = createMemoryCacheStore()
-
-function buildKey(url: URL, vary: string[], request: Request, customKey?: (url: URL) => string): string {
-  const base = customKey ? customKey(url) : url.pathname + url.search
-  if (vary.length === 0) return base
-  const varyParts = vary.map((h) => `${h}=${request.headers.get(h) ?? ""}`).join("&")
-  return `${base}?__vary=${varyParts}`
-}
-
-export function routeCache(options: CacheOptions): MiddlewareFn {
-  const { maxAge, staleWhileRevalidate = 0, vary = [], key: customKey, store = defaultCacheStore } = options
-
-  return async (ctx, next) => {
-    if (ctx.request.method !== "GET") return next()
-
-    const cacheKey = buildKey(ctx.url, vary, ctx.request, customKey)
-    const entry = await store.get(cacheKey)
-    const now = Date.now()
-
-    if (entry) {
-      const age = (now - entry.createdAt) / 1000
-      // Fresh — serve from cache
-      if (age < maxAge) {
-        return new Response(entry.body, {
-          status: entry.status,
-          headers: { ...entry.headers, "X-Cache": "HIT", "Age": String(Math.floor(age)) },
-        })
-      }
-      // Stale but within revalidation window — serve stale, revalidate in background
-      if (age < maxAge + staleWhileRevalidate && !entry.revalidating) {
-        entry.revalidating = true
-        revalidate(cacheKey, store, next)
-        return new Response(entry.body, {
-          status: entry.status,
-          headers: { ...entry.headers, "X-Cache": "STALE", "Age": String(Math.floor(age)) },
-        })
-      }
-    }
-
-    // Miss — fetch and cache
-    const response = await next()
-    if (response.status === 200) {
-      const body = await response.text()
-      const headers: Record<string, string> = {}
-      response.headers.forEach((v, k) => { headers[k] = v })
-      await store.set(cacheKey, { body, headers, status: response.status, createdAt: now })
-      return new Response(body, {
-        status: response.status,
-        headers: { ...headers, "X-Cache": "MISS" },
-      })
-    }
-    return response
-  }
-}
-
-async function revalidate(key: string, store: CacheStore, next: () => Promise<Response>): Promise<void> {
-  try {
-    const response = await next()
-    if (response.status === 200) {
-      const body = await response.text()
-      const headers: Record<string, string> = {}
-      response.headers.forEach((v, k) => { headers[k] = v })
-      await store.set(key, { body, headers, status: response.status, createdAt: Date.now() })
-    }
-  } catch {
-    // revalidation failed, stale entry stays
-    const entry = await store.get(key)
-    if (entry) entry.revalidating = false
-  }
-}
-
-/** Invalidate cached entry by path */
-export async function invalidateCache(path: string): Promise<void> {
-  const keys = await defaultCacheStore.keys()
-  for await (const key of keys) {
-    if (key.startsWith(path)) await defaultCacheStore.delete(key)
-  }
-}
-
-/** Clear all cached entries */
-export async function clearCache(): Promise<void> {
-  await defaultCacheStore.clear()
-}

package/src/server/compress.ts

@@ -1,60 +0,0 @@
-// Response compression middleware — gzip/deflate
-// Uses Web Streams API (native in Bun)
-
-import type { MiddlewareFn } from "./middleware.ts"
-
-const COMPRESSIBLE_TYPES = new Set([
-  "text/html",
-  "text/css",
-  "text/javascript",
-  "application/javascript",
-  "application/json",
-  "text/xml",
-  "application/xml",
-  "image/svg+xml",
-])
-
-function isCompressible(contentType: string | null): boolean {
-  if (!contentType) return false
-  const type = contentType.split(";")[0]!.trim()
-  return COMPRESSIBLE_TYPES.has(type)
-}
-
-export function compress(): MiddlewareFn {
-  return async (_ctx, next) => {
-    const response = await next()
-    const contentType = response.headers.get("content-type")
-
-    if (!isCompressible(contentType)) return response
-    if (response.headers.has("content-encoding")) return response
-    if (!response.body) return response
-
-    const acceptEncoding = _ctx.request.headers.get("accept-encoding") ?? ""
-
-    if (acceptEncoding.includes("gzip")) {
-      const compressed = response.body.pipeThrough(new CompressionStream("gzip"))
-      const headers = new Headers(response.headers)
-      headers.set("Content-Encoding", "gzip")
-      headers.delete("Content-Length")
-      return new Response(compressed, {
-        status: response.status,
-        statusText: response.statusText,
-        headers,
-      })
-    }
-
-    if (acceptEncoding.includes("deflate")) {
-      const compressed = response.body.pipeThrough(new CompressionStream("deflate"))
-      const headers = new Headers(response.headers)
-      headers.set("Content-Encoding", "deflate")
-      headers.delete("Content-Length")
-      return new Response(compressed, {
-        status: response.status,
-        statusText: response.statusText,
-        headers,
-      })
-    }
-
-    return response
-  }
-}

package/src/server/etag.ts

@@ -1,23 +0,0 @@
-// ETag support for static file serving
-// Generates weak ETags based on file size + modification time
-
-import { stat } from "node:fs/promises"
-
-export function generateETag(size: number, mtimeMs: number): string {
-  return `W/"${size.toString(16)}-${Math.floor(mtimeMs).toString(16)}"`
-}
-
-export async function fileETag(filePath: string): Promise<string | null> {
-  try {
-    const s = await stat(filePath)
-    return generateETag(s.size, s.mtimeMs)
-  } catch {
-    return null
-  }
-}
-
-export function isNotModified(request: Request, etag: string): boolean {
-  const ifNoneMatch = request.headers.get("if-none-match")
-  if (!ifNoneMatch) return false
-  return ifNoneMatch.split(",").some((t) => t.trim() === etag)
-}